We are using Spring WS as a filter to perform WS-Security (token, timestamp and signature) on the incoming SOAP request.
We want to prevent XXE attacks using the same filter and are wondering if it's possible.
We're using 'org.springframework.ws.soap.axiom.AxiomSoapMessageFactory' as the messageFactory, and it has two setters, 'setSupportingExternalEntities' & 'setReplacingEntityReferences', which are false by default.
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///c:/windows/win.ini"> ]>
Now if an entity is declared using a DOCTYPE in the SOAP request and it is referenced using &xxe;, then the Spring framework throws back an error:
org.apache.axiom.soap.SOAPProcessingException: A SOAP message cannot contain entity references because it must not have a DTD
2018-05-18T13:14:33,272 DEBUG [org.springframework.ws.soap.server.SoapMessageDispatcher] Endpoint invocation resulted in exception - responding with Fault
org.apache.axiom.soap.SOAPProcessingException: A SOAP message cannot contain entity references because it must not have a DTD
at org.apache.axiom.soap.impl.builder.StAXSOAPModelBuilder.createEntityReference(StAXSOAPModelBuilder.java:359) ~[axiom-api-1.2.15.jar:1.2.15]
at org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBuilder.java:279) ~[axiom-api-1.2.15.jar:1.2.15]
But this error does not occur if we replace &name; with & ;xxe; or & xxe;; the Spring WS framework lets it go through.
I don't want it to go through to any further processing, so maybe, if possible, we can somehow disallow the DOCTYPE declaration itself in the SOAP request.
Thanks for any help and pointer(s) to resolve this.
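An added example, not from the original post or from Spring WS: a pre-check written against the plain JDK StAX API that refuses any request body carrying a DOCTYPE before the body reaches AxiomSoapMessageFactory. The class name, method name and the sample envelopes are constructed here; how the check is wired in front of Spring WS (servlet filter or endpoint interceptor) is assumed to be done by the deployment.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/** Pre-check run on the raw request body before it is handed to the SOAP message factory. */
public final class DoctypeGuard {

    private static final XMLInputFactory FACTORY = XMLInputFactory.newInstance();
    static {
        // Do not process DTDs, never resolve external entities, never expand entity references.
        FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        FACTORY.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
    }

    /**
     * Returns true only if the prolog is well-formed and contains no DOCTYPE at all.
     * Scanning stops at the root element, so nothing in the body is expanded here.
     */
    public static boolean acceptsEnvelope(String xml) {
        XMLStreamReader reader = null;
        try {
            reader = FACTORY.createXMLStreamReader(new StringReader(xml));
            while (reader.hasNext()) {
                int event = reader.next();
                if (event == XMLStreamConstants.DTD) {
                    return false;   // a skipped DOCTYPE is still reported as a DTD event: refuse it
                }
                if (event == XMLStreamConstants.START_ELEMENT) {
                    return true;    // reached the root element with no DTD in the prolog
                }
            }
            return false;           // no root element at all: not a usable SOAP envelope
        } catch (XMLStreamException e) {
            return false;           // a malformed prolog is refused as well
        } finally {
            if (reader != null) { try { reader.close(); } catch (XMLStreamException ignored) { } }
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a plain envelope and the same envelope with a DOCTYPE prepended.
        String envelope = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                + "<soapenv:Body/></soapenv:Envelope>";
        String clean = "<?xml version=\"1.0\"?>" + envelope;
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///c:/windows/win.ini\">]>" + envelope;
        System.out.println("clean accepted: " + acceptsEnvelope(clean));
        System.out.println("doctype accepted: " + acceptsEnvelope(withDoctype));
    }
}
```

The guard decides on the prolog alone, so the " & ;xxe; " variants mentioned above are rejected as malformed before any entity handling, and a well-formed envelope with no DOCTYPE is passed on to Spring WS unchanged.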